CVE-2026-32309

Name of the Vulnerable Software and Affected Versions Cryptomator versions prior to 1.19.1

Description Cryptomator encrypts data stored on cloud infrastructure. The Hub-based unlock flow, in versions before 1.19.1, allows the use of hub+http and retrieves Hub endpoints from vault metadata without requiring HTTPS. This can lead to OAuth and key-loading traffic being transmitted over insecure HTTP connections, potentially exposing bearer tokens and endpoint trust decisions to interception and tampering by a network attacker. The issue is related to the handling of Hub endpoints and the lack of HTTPS enforcement during the unlock process.

Recommendations Update to version 1.19.1 or later.